Virtual Private Networks (VPNs) are a common means of establishing trust and user identity within corporate networks. The application of VPNs to mobile devices has made it possible for enterprises to obtain the same level of trust from mobile devices. However, many enterprise productivity applications reside outside conventional enterprise network boundaries, in cloud-based services. There is therefore a need to access these services securely as well, without the user having to establish their identity individually with each service (most commonly by entering a password to log in to each such service).
VPNs typically establish user identity through a pre-established secure credential on the user's device that is unlocked by the user entering a password or PIN, or more recently through biometrics, such as using the device to read a fingerprint. Such credentials are commonly in the form of PKI keys and certificates provisioned on the devices with the help of an Enterprise Mobility Management (EMM) solution (also known as Unified Endpoint Management, UEM). Pre-established secure credentials such as passwords typically vary from application to application, and can be cumbersome and difficult to manage, especially if a user needs to memorize many passwords.
Users can use their smartphone/mobile device as a physical access device. For example, a service provider provides a mobile application that is installed on the user's physical access device. The mobile application receives a push notification asking the user to verify their identity. The user's physical access device prompts the user to unlock the phone (e.g., enter a password, provide a biometric to a Touch ID® fingerprint sensor, etc.) and approve or deny the request. However, some service providers have more stringent requirements, and this type of process does not meet their security or privacy standards. For example, a user could install the mobile application on any physical device, including one without adequate security controls (e.g., a spouse's device or a home mobile device). This means that the user's identity can be verified by anyone in possession of the device: someone who is not the user is able to unlock the physical device and approve the request.
In addition, multi-factor use cases are evolving such that asking a user for a password may be considered cumbersome and unnecessary if a physical device can assert the user's identity. Users tend to forget passwords (especially if they are managing many different passwords for different devices), which reduces their productivity and causes them to take insecure routes to regain access to resources and become productive again.